Perform the following steps to enable support for CRLs
larger than the limit of approximately 32KB.
Before you begin
You need to be familiar with the z/OS® UNIX file
systems.
Procedure
- Configure a z/OS file
system to hold CRLs. If you run multiple instances of PKI Services
in a Parallel Sysplex® (one
per image), ensure that the file system is shared with each PKI Services
instance in the sysplex. For information about managing the z/OS UNIX file
system, see z/OS UNIX System Services Planning.
_______________________________________________________________
- Set the value of the LargeCRLPostPath parameter
in the CertPolicy section of the PKI Services configuration
file, pkiserv.conf, to the full path of the var directory
where PKI Services is to save each CRL for posting to LDAP. The default
value is /var/pkiserv/. You can specify the value
with or without the trailing slash. The value of LargeCRLPostPath can
be the same as the value of CRLDistDirPath.
Guideline: If you are customizing this value for a
CA domain, specify a directory name that contains the CA domain name,
for example /var/pkiserv/employees/, where employees is
the domain name.
_______________________________________________________________
- Set the value of the EnableLargeCRLPosting parameter
in the CertPolicy section of the PKI Services configuration
file, pkiserv.conf, to T.
_______________________________________________________________
- Restart PKI Services.
Your changes to the pkiserv.conf file do not take
effect until you restart PKI Services. For information about starting PKI Services, see Starting and stopping PKI Services.
_______________________________________________________________
Results
When you are done, you have enabled support for large CRLs,
and CRLs are no longer limited to approximately 32KB in size.
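
The following check of the two CertPolicy settings from this procedure can be run before restarting PKI Services. It is an added example, not IBM-supplied code. It assumes that pkiserv.conf uses [Section] headers, Name=Value lines and # comments; the function names certpolicy_value and check_large_crl are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Assumed syntax: [Section] headers,
# Name=Value lines, "#" comments. Function names are hypothetical.

# Print the value of parameter $2 from the [CertPolicy] section of file $1.
certpolicy_value() {
    awk -v key="$2" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[CertPolicy\][ \t]*$/); next }
        in_sec && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            sub(/[ \t]+#.*$/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key) { print val; exit }
        }' "$1"
}

# Return 0 if large CRL posting is enabled and the post path is usable,
# 1 if EnableLargeCRLPosting is not T, 2 if the directory is unusable.
check_large_crl() {
    enabled=$(certpolicy_value "$1" EnableLargeCRLPosting)
    path=$(certpolicy_value "$1" LargeCRLPostPath)
    [ -n "$path" ] || path=/var/pkiserv/   # default given in the procedure
    if [ "$enabled" != "T" ]; then
        echo "EnableLargeCRLPosting is '$enabled', expected T" >&2
        return 1
    fi
    if [ ! -d "$path" ] || [ ! -w "$path" ]; then
        echo "LargeCRLPostPath '$path' is not a writable directory" >&2
        return 2
    fi
    echo "OK: large CRL posting enabled, CRLs saved under $path"
}

# Constructed sample configuration, not a real pkiserv.conf.
demo=$(mktemp -d)
mkdir "$demo/crls"
printf '%s\n' '[CertPolicy]' "LargeCRLPostPath=$demo/crls/" \
    'EnableLargeCRLPosting=T' > "$demo/pkiserv.conf"
check_large_crl "$demo/pkiserv.conf"
```

The writability test applies to the user who runs the script, so run it under the user ID that PKI Services runs under.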